7.5
CVE-2026-40972
- EPSS 0.12%
- Veröffentlicht 27.04.2026 23:15:19
- Zuletzt bearbeitet 30.04.2026 14:26:30
- Quelle security@vmware.com
- CVE-Watchlists
- Unerledigt
LoginAn attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMware ≫ Spring Boot Version < 2.7.33
VMware ≫ Spring Boot Version >= 3.3.0 < 3.3.19
VMware ≫ Spring Boot Version >= 3.4.0 < 3.4.16
VMware ≫ Spring Boot Version >= 3.5.0 < 3.5.14
VMware ≫ Spring Boot Version >= 4.0.0 < 4.0.6
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.12% | 0.305 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@vmware.com | 7.5 | 1.6 | 5.9 |
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-208 Observable Timing Discrepancy
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.